diff --git a/machines/lisa/default.nix b/machines/lisa/default.nix
index 48bb1a6..4f4db35 100644
--- a/machines/lisa/default.nix
+++ b/machines/lisa/default.nix
@@ -1,6 +1,3 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 
 {
@@ -52,6 +49,7 @@
   };
 
+  nix.maxJobs = lib.mkDefault 4;
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
@@ -76,4 +74,70 @@
   services.zfs.autoScrub.enable = true;
   system.stateVersion = "21.11";
+
+
+  networking.firewall = {
+    allowedTCPPorts = [ ];
+    allowedUDPPorts = [ 51820 ];
+  };
+  networking.nat.enable = true;
+  networking.nat.externalInterface = "ens20";
+  networking.nat.internalInterfaces = [ "wg0" ];
+  networking.wireguard.interfaces = {
+    wg0 = {
+      ips = [ "10.100.0.1/24" ];
+      listenPort = 51820;
+      postSetup = ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens20 -j MASQUERADE
+      '';
+
+      # This undoes the above command
+      postShutdown = ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens20 -j MASQUERADE
+      '';
+
+      privateKeyFile = "/root/wg-private";
+      peers = [
+        {
+          allowedIPs = [ "10.100.0.2/32" ];
+          publicKey = "WQoOWKT6VFn9p8vyLdI1n8tg8IRX1t7tCWXOa1zcHRU=";
+        }
+        {
+          allowedIPs = [ "10.100.0.3/32" ];
+          publicKey = "Pp4dQhhdokqYD1JBh+HLoqBbC+FEs64qzXHWfXyu2VE=";
+        }
+        {
+          allowedIPs = [ "10.100.0.4/32" ];
+          publicKey = "1d10sX645HAbXeXbvAs2zgjsoYgfg7d2UCQV1xKoY3s=";
+        }
+        {
+          allowedIPs = [ "10.100.0.5/32" ];
+          publicKey = "3BlHbLcL05UObnlIWrC/TMjZKdxrH8HTm8h0xxzAWA8=";
+        }
+        {
+          allowedIPs = [ "10.100.0.6/32" ];
+          publicKey = "ifMWTkMWpjibnthrRNPtfp2xcgqGQGng3XieVO7Lvzg=";
+        }
+        {
+          allowedIPs = [ "10.100.0.7/32" ];
+          publicKey = "TAIP4faPBx6gk1cifC6fdfIP6slo1ir+HMVKxQXBejo=";
+        }
+        {
+          allowedIPs = [ "10.100.0.8" ];
+          publicKey = "EmWRWnZfr60ekm4ZLdwa6gXU6V3p39p6tWOZ03dL+DA=";
+        }
+      ];
+
+    };
+  };
+
+
+
+
+
+
+
+
+
+
+
 }
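Review bot: The hand-written iptables rules in `postSetup`/`postShutdown` duplicate what `networking.nat` already does: with `networking.nat.enable = true`, `externalInterface = "ens20"` and `internalInterfaces = [ "wg0" ]`, the NixOS NAT module installs its own MASQUERADE for wg0 traffic leaving ens20 (worth confirming against the nat module on this release), so the extra `-A POSTROUTING ... -j MASQUERADE` is redundant, and because `iptables -D` removes only one matching rule a repeated interface setup can leave a stale entry behind. I would drop `postSetup`/`postShutdown` and rely on the module; if the explicit rule is kept, derive the interface from `config.networking.nat.externalInterface` rather than repeating `ens20` in two places. The last peer's `allowedIPs = [ "10.100.0.8" ]` also lacks the `/32` suffix the other six peers use; wg appears to treat a bare IPv4 address as /32, but the inconsistency reads like a typo and should be `"10.100.0.8/32"`. A one-line comment above `privateKeyFile` noting that the key is deliberately kept outside the Nix store (`# not in the store: /nix/store is world-readable`) would make that choice explicit for the next maintainer.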